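---
# Compose project for an Eclipse Mosquitto MQTT broker published through
# Traefik TCP routers. All ${...} values are interpolated by Compose from the
# environment or .env file; none of them are defined in this file.
name: mosquitto

networks:
  # Pre-existing network shared with the Traefik container.
  traefik-net:
    external: true

services:
  mosquitto:
    # NOTE(review): no tag is given, so the default "latest" tag is pulled.
    # Pin a reviewed tag or an image digest so a registry-side change cannot
    # silently replace the broker.
    image: eclipse-mosquitto
    hostname: mosquitto
    # Keep this file out of version control if it carries credentials.
    env_file: .mosquitto.env
    # Run the broker as an unprivileged uid:gid instead of the image default.
    user: '${PUID}:${PGID}'
    networks:
      traefik-net:
        aliases:
          - mqtt
    volumes:
      - '${DATADIR}/appdata:/mosquitto/data'
      - '${DATADIR}/config:/mosquitto/config'
      - '${DATADIR}/logs:/mosquitto/log'
      # maps the default folder for the password.txt file; the host directory
      # should be readable only by ${PUID}:${PGID}
      - '${DATADIR}/configinc:/mosquitto/configinc'
    restart: unless-stopped
    # ports 1883, 8883 and 9001
    # 9001 not implemented
    # No "ports:" mapping is declared here, so in this file the broker is
    # reached only over traefik-net.
    labels:
      - 'traefik.enable=true'
      - 'traefik.docker.network=traefik-net'
      #
      # tcp services
      # -------------
      # NOTE(review): ${SERVICE_PORT} is presumably the broker's plaintext
      # listener (1883) - confirm against the env file and mosquitto.conf.
      - 'traefik.tcp.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${SERVICE_PORT}'
      #- "traefik.tcp.services.${APPLICATION_NAME}-secure-svc.loadbalancer.server.port=${SECURE_SERVICE_PORT}"
      #
      # tcp routers
      # ------------
      # limit router to mqtt ":1883" entrypoint
      - 'traefik.tcp.routers.${APPLICATION_NAME}-rtr.entrypoints=mqtt'
      # set match criteria for router
      # HostSNI(`*`) is the catch-all a non-TLS TCP router needs, because a
      # plaintext connection carries no SNI. Everything on this entrypoint,
      # MQTT usernames and passwords included, travels unencrypted, so keep
      # the mqtt entrypoint reachable from trusted networks only.
      - 'traefik.tcp.routers.${APPLICATION_NAME}-rtr.rule=HostSNI(`*`)'
      # assign svc target to routers
      - 'traefik.tcp.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc'
      #
      # limit router to mqttsecure ":8883" entrypoint
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=mqttsecure'
      # set match criteria for router
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.rule=HostSNI(`${APPLICATION_NAME}.${DOMAINNAME}`) || HostSNI(`mqtt-px.${DOMAINNAME}`)'
      # set router to be dedicated to secure requests only for the host specified in match criteria
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls=true'
      # Traefik terminates TLS on this router and forwards plaintext MQTT to
      # the shared service. Passthrough was "true", which hands the
      # still-encrypted stream to the same listener the plaintext router
      # uses and leaves the certresolver below unused. If the broker is meant
      # to terminate TLS itself, set passthrough=true, remove the certresolver
      # label and target the -secure-svc service instead.
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.passthrough=false'
      # generate certificates using following certresolver
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns'
      # assign svc target to routers
      #- "traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-secure-svc"
      # use same svc as non-secure router to avoid issues with certificates on mosquitto
      - 'traefik.tcp.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc'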